Cryptography-Digest Digest #80, Volume #9        Sun, 14 Feb 99 20:13:03 EST

Contents:
  Re: RNG Product Feature Poll (Herman Rubin)
  Export Laws ("jmp")
  Have you ever had your account cancelled for SPAM? ("Bruce Christensen")
  Re: RNG Product Feature Poll (R. Knauer)
  The Cracking of Keeper (JPeschel)
  Re: Factoring Complex Numbers (Lee Winter)
  Re: RNG Product Feature Poll (Lee Winter)
  Re: Foodfight! (Lee Winter)
  --- sci.crypt charter: read before you post (weekly notice) (D. J. Bernstein)
  Re: RNG Product Feature Poll (Lee Winter)
  Re: New high-security 56-bit DES: Less-DES (Lee Winter)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: RNG Product Feature Poll
Date: 14 Feb 1999 11:32:55 -0500

In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 13 Feb 1999 08:48:18 -0500, [EMAIL PROTECTED] (Herman
>Rubin) wrote:

>>>Independence means there are no correlations and equidistributed means
>>>there is no bias. Numbers that have no bias or correlation cannot be
>>>predicted, which means they are provably secure for use in crypto.

>>This is very definitely NOT the case.  Lack of correlation only involves
>>pairs of random variables, while there exist n-tuples of random variables
>>such that any n-1 are independent, but any one can be determined from 
>>the others.  This definitely applies to random bits.

>Perhaps you can define correlation for us so we can clear this matter
>up. A few people on sci.crypt, including me, believe that correlation
>extends beyond just pairs of random variables.

Correlation is a standard term in both probability and statistics.

The correlation of X and Y is their covariance divided by the product
of their standard deviations.  It is a measure of how good a linear
function of one predicts the other.

I do not know how old this term is, but it certainly has had this
meaning for more than a century.

>I do not believe we are restricted to your use of the term.

It is generally not a good idea, when using a branch of mathematics,
to take a term which has a standard meaning there and use it in a
different sense, especially without making a good formal definition.

>Bob Knauer

-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: "jmp" <[EMAIL PROTECTED]>
Subject: Export Laws
Date: Sun, 14 Feb 1999 12:13:27 -0500

to all:

    The U.S. administration feels that cryptography related source code on
an electronic medium differs from the exact same expression in printed form.
    They contend that the difference is such that one form is "free speech"
and the other is a "product."
    Question: why not lump all your source code together into one big file
in the Adobe Acrobat format, and export that?  There would then be NO
difference at all except for the media. (No difference in layout)

jmp




------------------------------

From: "Bruce Christensen" <[EMAIL PROTECTED]>
Subject: Have you ever had your account cancelled for SPAM?
Date: Sun, 14 Feb 1999 20:31:02 GMT



------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Sun, 14 Feb 1999 22:11:41 GMT
Reply-To: [EMAIL PROTECTED]

On 14 Feb 1999 11:32:55 -0500, [EMAIL PROTECTED] (Herman
Rubin) wrote:

>Correlation is a standard term in both probability and statistics.

>The correlation of X and Y is their covariance divided by the product
>of their standard deviations.  It is a measure of how good a linear
>function of one predicts the other.

>I do not know how old this term is, but it certainly has had this
>meaning for more than a century.

>It is generally not a good idea, when using a branch of mathematics,
>to take a term which has a standard meaning there and use it in a
>different sense, especially without making a good formal definition.

I agree fully. There is enough confusion in crypto as it is, much less
introducing more. But this is cryptography, not statistical
mathematics, so the definition used by cryptographers should suffice. 

Turning to the crypto bible, written by Schneier, I find entries for
"correlation" on page 380 and page 425, both relating to stream
ciphers, which is the subject at hand. Please check Schneier's book
and see if your meaning is the same as cryptographers use.

Also see the articles posted on Terry Ritter's excellent crypto site,
namely:

+++++
Correlation:   In general, the probability that two sequences of
symbols will, in any position, have the same symbol. We expect two
random binary sequences to have the same symbols about half the time.

One way to evaluate the correlation of two real-valued sequences is to
multiply them together term-by-term and sum all results. If we do this
for all possible "delays" between the two sequences, we get a "vector"
or 1-dimensional array of correlations which is a convolution. Then
the maximum value represents the delay with the best correlation. 
+++++

I do not believe the meaning of the term correlation in crypto is as
restrictive as you use it, but I am interested in finding if I am
wrong - and why.

Bob Knauer

"Of all tyrannies, a tyranny exercised for the good of its victims may
be the most oppressive.  It may be better to live under robber barons
than under omnipotent moral busybodies. The robber baron's cruelty may
sometimes sleep, his cupidity may at some point be satiated; but those
who torment us for our own good will torment us without end, for they
do so with the approval of their consciences."
--C.S. Lewis
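
The two definitions being argued over above can be put side by side in code.  This is an added example, not from Knauer, Rubin or Ritter: pearson() is the covariance-over-standard-deviations measure Rubin describes, agreement() is the "same symbol in the same position" probability from the Ritter quote, and delay_scan() is the term-by-term product summed over every cyclic delay (a cyclic cross-correlation).  The bit strings are constructed with a seeded generator; the rotated copy shows what the delay scan finds that the single-position measures miss.

```python
import random


def pearson(xs, ys):
    """Correlation in Rubin's sense: covariance divided by the product of the
    two standard deviations (population form). Measures linear dependence only."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    sx = (sum((x - mx) ** 2 for x in xs) / n) ** 0.5
    sy = (sum((y - my) ** 2 for y in ys) / n) ** 0.5
    return cov / (sx * sy)


def agreement(a, b):
    """Correlation in the quoted Ritter sense: the fraction of positions at
    which the two symbol sequences agree (about 0.5 for independent fair bits)."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def delay_scan(a, b):
    """Ritter's second procedure: map bits to +1/-1, multiply term by term and
    sum, for every cyclic delay of b against a. Returns (best_delay, sums)."""
    pa = [1 if x else -1 for x in a]
    pb = [1 if x else -1 for x in b]
    n = len(a)
    sums = [sum(pa[i] * pb[(i + d) % n] for i in range(n)) for d in range(n)]
    best = max(range(n), key=sums.__getitem__)
    return best, sums


def demo(n=4096, shift=37, seed=1):
    """Constructed data (assumption: seeded PRNG bits stand in for a bit source):
    two independent strings a and b, plus c, a copy of a rotated by `shift`."""
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(n)]
    b = [rng.randrange(2) for _ in range(n)]
    c = a[-shift:] + a[:-shift]  # c[j] == a[(j - shift) % n]
    best, sums = delay_scan(a, c)
    return {
        "pearson_independent": pearson(a, b),      # near 0
        "agreement_independent": agreement(a, b),  # near 0.5
        "pearson_rotated": pearson(a, c),          # also near 0: c is fully determined by a,
        "agreement_rotated": agreement(a, c),      # but a position-by-position measure cannot see it
        "best_delay": best,                        # == shift
        "peak": sums[best],                        # == n: perfect agreement at that delay
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-24s %s" % (k, v))
```

The rotated copy is the point: a and c have zero correlation at delay zero under either definition, yet one is a deterministic function of the other.  Both measures answer "is there a linear or positional relation between these two sequences", which is a narrower question than "can one be predicted from the other".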


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: The Cracking of Keeper
Date: 14 Feb 1999 22:52:10 GMT

I've just added Casimir's newest essay,
"The Cracking of Keeper" to the "Key
Recovery Resources" section of my site.

He writes, "Well, i would not give a 
penny for their crypto-software, but
i'd really like to know what drug(s) 
they're using {:-)"

I should also note that Casimir's essay,
"CRACKING OF ENCRYPT-IT FOR WINDOWS"
was included, in part, in Randy Nichols'
book, <i>ICSA Guide to Cryptography</i>,
Chapter 21, pp. 617-624.

You can order the book through Amazon:

http://www.amazon.com/exec/obidos/ASIN/0079137598/comsecsolutionsc/002-8867828-3465825

and while you're at it, you might buy
AMZN on dips -- no need for cryptogeeks
to be poor.  :-)

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

Date: Sun, 14 Feb 1999 19:02:04 -0500
From: Lee Winter <[EMAIL PROTECTED]>
Subject: Re: Factoring Complex Numbers

[EMAIL PROTECTED] wrote:

> In article <[EMAIL PROTECTED]>,
>   "Wm. Toldt" <[EMAIL PROTECTED]> wrote:
> > Trevor Jackson, III wrote:
> >
> > > How do you feel about factoring complex numbers whose terms are
> > > integral?
> >
> > (This was in thread "Re: Clarification on PGP. pls")
> >
> > I never tried that, but here is an example:
>
> stuff deleted...
>
> > I do not feel good about this problem. How would I
> > factor 2380i-1884 or even know if a unique
> > factorization exists?
>
> Because  Q(i)  has class number 1. Therefore factorization is unique.
>
> > Maybe there are
> > several complex factors which give
> > the same result.
>
> Nope.  There is a unique way to factor every Gaussian integer  (up to
> multiplication by units, of course) into prime ideals.  All ideals are
> principal.
>
> And the factorization is (as) easy as factoring ordinary integers.  Just
> factor the norm.

I interpret your statement to imply that, for cryptographic purposes, the
concept reduces to that of existing ciphers based on integer factorization.
Is my interpretation accurate?
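
"Just factor the norm" is the whole algorithm; the following added example (not code from anyone in the thread) carries it out.  A Gaussian integer a+bi is held as the tuple (a, b).  Each rational prime p dividing N(z) = a^2 + b^2 is handled by its splitting type: 2 = -i(1+i)^2, a prime p = 3 mod 4 stays prime and appears squared in the norm, and a prime p = 1 mod 4 splits as (x+yi)(x-yi) with x^2 + y^2 = p, where only trial division of z decides which of the two conjugates actually divides it.  Primes are reported as the associate with positive real and non-negative imaginary part, so "unique up to units" becomes unique.

```python
from math import isqrt


def factor_int(n):
    """Trial-division factorisation of a positive integer into {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


# Gaussian integers are tuples (a, b) meaning a + b*i.
def gmul(z, w):
    return (z[0] * w[0] - z[1] * w[1], z[0] * w[1] + z[1] * w[0])


def norm(z):
    return z[0] * z[0] + z[1] * z[1]


def exact_div(z, w):
    """z / w when w divides z in Z[i], else None: z * conj(w) must be divisible by N(w)."""
    q = gmul(z, (w[0], -w[1]))
    nw = norm(w)
    if q[0] % nw or q[1] % nw:
        return None
    return (q[0] // nw, q[1] // nw)


def canonical(z):
    """The associate (unit multiple) of z with positive real part and
    non-negative imaginary part; exactly one of the four associates qualifies."""
    for _ in range(4):
        if z[0] > 0 and z[1] >= 0:
            return z
        z = gmul(z, (0, 1))
    raise ValueError("zero has no canonical associate")


def two_squares(p):
    """x, y with x*x + y*y == p; exists for p == 2 and every prime p = 1 mod 4."""
    for x in range(1, isqrt(p) + 1):
        y = isqrt(p - x * x)
        if x * x + y * y == p:
            return x, y
    raise ValueError("%d is not a sum of two squares" % p)


def factor_gaussian(z):
    """Factor z by factoring its norm. Returns (unit, {canonical prime: exponent})."""
    if z == (0, 0):
        raise ValueError("zero has no factorisation")
    rem, factors = z, {}

    def take(prime):
        nonlocal rem
        rem = exact_div(rem, prime)
        factors[prime] = factors.get(prime, 0) + 1

    for p, e in factor_int(norm(z)).items():
        if p == 2:                      # 2 = -i(1+i)^2: every 2 in the norm is one (1+i)
            for _ in range(e):
                take((1, 1))
        elif p % 4 == 3:                # inert: p itself is prime, contributing p^2 to the norm
            for _ in range(e // 2):
                take((p, 0))
        else:                           # split: p = (x+yi)(x-yi), two non-associate primes
            x, y = two_squares(p)
            for cand in ((x, y), (x, -y)):
                while exact_div(rem, cand) is not None:
                    take(canonical(cand))
    return rem, factors                 # rem is now one of the units (1,0), (0,1), (-1,0), (0,-1)


def product(unit, factors):
    """Multiply a factorisation back together, to check it."""
    out = unit
    for prime, e in factors.items():
        for _ in range(e):
            out = gmul(out, prime)
    return out


if __name__ == "__main__":
    for z in [(-4, 7), (0, 6), (-1884, 2380)]:   # the last is the number from the thread
        unit, f = factor_gaussian(z)
        print(z, "=", unit, "*", f)
```

The work is the integer factorisation of N(z) plus a little exact division, which is what the quoted reply means by "as easy as factoring ordinary integers": a scheme whose hardness rested on factoring Gaussian integers would be no harder than one resting on factoring their norms.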


------------------------------

Date: Sun, 14 Feb 1999 19:15:35 -0500
From: Lee Winter <[EMAIL PROTECTED]>
Subject: Re: RNG Product Feature Poll

Dave Knapp wrote:

> R. Knauer wrote:
> >
> > On Fri, 12 Feb 1999 06:23:47 -0500, "Trevor Jackson, III"
> > <[EMAIL PROTECTED]> wrote:
> >
> > >A white, uniform generator might work, but that phrase will
> > >trigger a lot of questions of the form "please define white"
> > > >and "please define uniform".
>
> > I believe the term "uniform distribution" is well defined in
> > statistics. However, as Li and Vitanyi point out in their book on
> > Kolmogorov Complexity, it is not sufficient to characterize
> > randomness.
>
> That's why you _specify_ a *random* uniform generator, instead of just a
> uniform generator.
>
> Random implies no correlation, and uniform implies no bias.
>
> Why are you guys making this so complicated?
>
> I understand that it is difficult, a priori, to establish whether a
> particular source is random or not.  But that complexity does NOT affect
> the _definition_ of "random," which is quite solid.  There are many ways
> to express it; but fundamentally, it means lack of correlation.
>

We are not making this issue more complicated, we are exploring and
explaining some of the subtleties in the definition of "random".  In
statistics randomness usually means lack of correlation.  In information
theory, of which cryptology is a subset, randomness means entropy.

The distinction is that entropy implies lack of correlation, but the reverse
is not true.  Correlation may exist, but we will not test for it unless we
suspect it.  We will not find it unless we test for it.  Thus we can only
find those correlations that we suspect exist.  This is why the statistical
definition, lack of (detectable) correlation, is usually not considered
adequate for crypto purposes.

This issue is not complicated, but it is subtle.  Thus it appears to be a
mountain from a molehill, but the small distinction has enormous impact on
the acceptability of key generation and similar issues.


------------------------------

Date: Sun, 14 Feb 1999 19:18:40 -0500
From: Lee Winter <[EMAIL PROTECTED]>
Subject: Re: Foodfight!

Now *THAT* 's an ignition source.  Where's the accelerant?

Ken Blangert wrote:

> R. Knauer wrote:
> >
> > On Sat, 13 Feb 1999 18:25:30 GMT, Dave Knapp <[EMAIL PROTECTED]> wrote:
> >
> > >> That's because it is a complicated subject. The closest one comes to
> > >> crypto-grade randomness is Quantum Mechanics, a very complicated
> > >> subject indeed.
> >
> > >And one with which I am _far_ more familiar than you, FWIW.
> >
> > >I don't know whether to laugh or cry about the above.  It's just so...
> > >so... wrong? Stupid? Ignorant? All of these?
> >
> > >Enjoy your Deep Metaphysical Discussion.
> >
> > Another Flame Twit, eh.
> >
> > <plonk>
> >
> > Bob Knauer
>
> Windbag: a loquacious, usually pompous person who has little to say.
>
> Come on David Hamilton and Paul Allen, join the fun! This self appointed
> random number expert always needs the last word: a perfect target for a
> slug-fest. These random threads could go on forever, so join in the fun.
> It is a very difficult concept, randomness, so it must be pounded into
> our heads over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and over and over and over and
> over and over and over and over and over and ....
>
> RTFB




------------------------------

From: [EMAIL PROTECTED] (D. J. Bernstein)
Crossposted-To: talk.politics.crypto
Subject: --- sci.crypt charter: read before you post (weekly notice)
Date: 14 Feb 1999 06:00:39 GMT

sci.crypt               Different methods of data en/decryption.
sci.crypt.research      Cryptography, cryptanalysis, and related issues.
talk.politics.crypto    The relation between cryptography and government.

The Cryptography FAQ is posted to sci.crypt and talk.politics.crypto
every three weeks. You should read it before posting to either group.

A common myth is that sci.crypt is USENET's catch-all crypto newsgroup.
It is not. It is reserved for discussion of the _science_ of cryptology,
including cryptography, cryptanalysis, and related topics such as 
one-way hash functions.

Use talk.politics.crypto for the _politics_ of cryptography, including
Clipper, Digital Telephony, NSA, RSADSI, the distribution of RC4, and
export controls.

What if you want to post an article which is neither pure science nor
pure politics? Go for talk.politics.crypto. Political discussions are
naturally free-ranging, and can easily include scientific articles. But
sci.crypt is much more limited: it has no room for politics.

It's appropriate to post (or at least cross-post) Clipper discussions to
alt.privacy.clipper, which should become talk.politics.crypto.clipper at
some point.

There are now several PGP newsgroups. Try comp.security.pgp.resources if
you want to find PGP, c.s.pgp.tech if you want to set it up and use it,
and c.s.pgp.discuss for other PGP-related questions.

Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt. Try alt.security.

Other relevant newsgroups: misc.legal.computing, comp.org.eff.talk,
comp.org.cpsr.talk, alt.politics.org.nsa, comp.patents, sci.math,
comp.compression, comp.security.misc.

Here's the sci.crypt.research charter: ``The discussion of cryptography,
cryptanalysis, and related issues, in a more civilised environment than
is currently provided by sci.crypt.'' If you want to submit something to
the moderators, try [EMAIL PROTECTED]

---Dan

------------------------------

Date: Sun, 14 Feb 1999 19:25:11 -0500
From: Lee Winter <[EMAIL PROTECTED]>
Subject: Re: RNG Product Feature Poll



Herman Rubin wrote:

> In article <[EMAIL PROTECTED]>,
> R. Knauer <[EMAIL PROTECTED]> wrote:
> >On Fri, 12 Feb 1999 05:56:40 GMT, Dave Knapp <[EMAIL PROTECTED]> wrote:
>
> >>A random uniform generator is what you are looking for.
>
> >That's a bit circular, isn't it?
>
> >And the digits in Champernowne's number are almost uniform with regard
> >to bit groups, yet it is hardly a candidate for a TRNG.
>
> >I like the term "equiprobable" because it imparts the concepts of
> >independence and equidistributed in one word. I believe independence
> >and equidistributed are sufficient for a crypto-grade TRNG.
>
> >Independence means there are no correlations and equidistributed means
> >there is no bias. Numbers that have no bias or correlation cannot be
> >predicted, which means they are proveably secure for use in crypto.
>
> This is very definitely NOT the case.  Lack of correlation only involves
> pairs of random variables, while there exist n-tuples of random variables
> such that any n-1 are independent, but any one can be determined from
> the others.  This definitely applies to random bits.

This appears to define n-tuples with an entropy density of (n-1)/n.  Perhaps we
should use entropy density as the fundamental concept and attribute the fraction
of non-entropic data (that which is not information in Shannon's sense) to
sources of bias, correlation/dependence, etc.
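
Rubin's n-tuple has a standard construction: n-1 independent fair bits followed by their parity.  The added example below (mine, not code from anyone in the thread) enumerates the 2^(n-1) equally likely outcomes and checks, exactly rather than by sampling, each property the thread argues about: every n-1 of the bits are mutually independent and unbiased, every pair has zero covariance, the last bit is nevertheless a deterministic function of the others, and the Shannon entropy of the whole tuple is n-1 bits, which is the entropy density (n-1)/n Winter proposes.

```python
from itertools import product
from math import log2


def parity_tuple(n):
    """The 2**(n-1) equally likely outcomes of (b_1, ..., b_{n-1}, b_n), where
    b_1..b_{n-1} are independent fair bits and b_n is their XOR (parity)."""
    return [bits + (sum(bits) % 2,) for bits in product((0, 1), repeat=n - 1)]


def joint(outcomes, positions):
    """Exact joint distribution of the bits at the chosen positions."""
    counts = {}
    for o in outcomes:
        key = tuple(o[p] for p in positions)
        counts[key] = counts.get(key, 0) + 1
    return {k: v / len(outcomes) for k, v in counts.items()}


def independent_and_unbiased(outcomes, positions):
    """For bits, 'mutually independent and unbiased' is the same as 'jointly
    uniform on {0,1}^k', which is what this checks exactly."""
    k = len(positions)
    dist = joint(outcomes, positions)
    return len(dist) == 2 ** k and all(abs(p - 2.0 ** -k) < 1e-12 for p in dist.values())


def covariance(outcomes, i, j):
    """Exact covariance of bits i and j under the uniform outcome distribution;
    zero covariance is zero correlation in Rubin's sense."""
    m = len(outcomes)
    ei = sum(o[i] for o in outcomes) / m
    ej = sum(o[j] for o in outcomes) / m
    return sum(o[i] * o[j] for o in outcomes) / m - ei * ej


def analyse(n):
    outs = parity_tuple(n)
    return {
        "any_n_minus_1_independent": all(
            independent_and_unbiased(outs, [p for p in range(n) if p != drop])
            for drop in range(n)),
        "max_pairwise_covariance": max(
            abs(covariance(outs, i, j)) for i in range(n) for j in range(i + 1, n)),
        "all_n_independent": independent_and_unbiased(outs, list(range(n))),
        "last_bit_always_predictable": all(o[-1] == sum(o[:-1]) % 2 for o in outs),
        # Shannon entropy of the tuple is log2(#outcomes) = n-1 bits out of n.
        "entropy_density": log2(len(outs)) / n,
    }


if __name__ == "__main__":
    for n in (2, 3, 8):
        print(n, analyse(n))
```

The n = 2 case is the one exception: with a single input bit the parity equals that bit, so the pair is perfectly correlated; the construction needs n >= 3 before pairwise correlation goes to zero while predictability stays total.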


------------------------------

Date: Sun, 14 Feb 1999 19:40:01 -0500
From: Lee Winter <[EMAIL PROTECTED]>
Subject: Re: New high-security 56-bit DES: Less-DES



TONY BARTOLETTI wrote:

> [EMAIL PROTECTED] wrote:
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > 2. To send a message to Alice, Bob forms the first part of his
> > > desired message as a plaintext block of 64 bits:
> > >
> > >   M1 = 0123...63
> >
> > I'd suggest the first block should carry 64-M bits of plaintext
> > (like the others) and M bits of random padding, in order to
> > resist known plaintext attack.  If we can't add random bits, for
> > fear they will be deemed "key", we could defend against partially
> > known plaintext by taking the M-bit pad from a hash of the entire
> > message.
> >
> > > The Less-DES protocol may answer concerns regarding possibly
> > > diverging interpretations of export-free or WA terms -- since there
> > > is no additional key in Less-DES, of any kind, not even ignored, when
> > > security is enhanced from the 56-bit level.
> >
> > Alas, the way the regulations are implemented in the US, it's the
> > government's interpretation that carries the day.  The rules do not
> > say that 56-bit or even 40-bit encryption systems are freely
> > exportable, and neither does the latest statement of intentions to
> > "relax" export restrictions.
> >
> > Instead, there's a "one-time review".  The various agencies are under
> > no obligation to permit export based on adherence to the letter of
> > the WA or even the agencies' own guidelines.  If one wants to argue
> > that a system falls within legal limits, he'll be making that argument
> > to government cryptographers.
>
> Yes, I tend to agree.  They define what the rules mean, case-by-case.
>
> But this argues for Ed's first (bit more cumbersome) proposal, M-DES.
> Everyone just uses plain-old-already-approved DES.  But there is an
> "established" table of 2^14 64-bit "random" strings published.
>
> I DES encrypt a message, but XOR all of the output blocks with one
> string randomly selected from the set of 2^14.  I tell no one which
> string was used, only that I used "14-DES".  Now everyone (attacker
> and intended recipient alike) has 2^14 times as much effort to expend
> as they did before, whatever the previous effort bias.
>
> I don't see any realistic way to regulate this practice.  Nor can I
> see regulations on a "plug-in" filter that receives an M-DES message,
> and cycles through the XOR-strings as it passes each trial to DES.
> It's just too easy to write an XOR-machine and verify its correctness,
> so no need for export concerns.
>
> Of course, it may become a crime to deal in random numbers...

Now there's an ugly thought.  Imagine Our Poor Vendor maniacally trying to
find a PRNG to generate random numbers that the government found in his
possession.  Now imagine trying to explain the difference to the jury.  Talk
about random outcomes...

;-)
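
The "14-DES" wrapper quoted above is simple enough to write out.  The following is an added example, not code from Bartoletti or from the Less-DES proposal: DES itself is not in the Python standard library, so a small keyed 64-bit Feistel permutation stands in for it (an assumption; it is not DES and not a secure cipher, and the wrapper would behave identically around real DES).  The 2^14-entry "published" table is constructed here from a fixed label, and the recipient's "plug-in filter" is assumed to recognise a correct decryption by an 8-byte header at the start of every message.  The example also checks one property of the construction as described: because the same 64-bit string is XORed into every output block, the XOR of two ciphertext blocks equals E_k(P1) XOR E_k(P2) whatever the string was, so an attacker holding two known plaintext blocks can test a key guess without enumerating the table at all.

```python
import hashlib
import struct

BLOCK = 8          # 64-bit blocks, as in DES
TABLE_BITS = 14    # "14-DES": 2**14 published 64-bit strings
ROUNDS = 4


def _round_fn(key, r, half):
    digest = hashlib.sha256(key + bytes([r]) + struct.pack(">I", half)).digest()
    return struct.unpack(">I", digest[:4])[0]


def toy_encrypt_block(key, block):
    """Stand-in for single DES (assumption): a 4-round Feistel network on 64 bits
    with a SHA-256 round function. A keyed permutation, nothing more."""
    L, R = struct.unpack(">II", block)
    for r in range(ROUNDS):
        L, R = R, L ^ _round_fn(key, r, R)
    return struct.pack(">II", L, R)


def toy_decrypt_block(key, block):
    L, R = struct.unpack(">II", block)
    for r in reversed(range(ROUNDS)):
        L, R = R ^ _round_fn(key, r, L), L
    return struct.pack(">II", L, R)


def published_table():
    """The 'established' table of 2**14 public 64-bit strings, constructed here
    from a fixed label so sender and recipient derive the same table."""
    return [hashlib.sha256(b"M-DES public table entry %d" % i).digest()[:BLOCK]
            for i in range(1 << TABLE_BITS)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mdes_encrypt(key, index, table, plaintext):
    """DES-style ECB encryption, then the same table string XORed into every block."""
    assert len(plaintext) % BLOCK == 0
    mask = table[index]
    return b"".join(xor_bytes(toy_encrypt_block(key, plaintext[i:i + BLOCK]), mask)
                    for i in range(0, len(plaintext), BLOCK))


def mdes_decrypt(key, index, table, ciphertext):
    mask = table[index]
    return b"".join(toy_decrypt_block(key, xor_bytes(ciphertext[i:i + BLOCK], mask))
                    for i in range(0, len(ciphertext), BLOCK))


def recipient_recover(key, table, ciphertext, known_header):
    """The 'plug-in filter': the recipient has the key but not the table index,
    so it cycles through the strings until the first block decrypts to the
    known header (assumption). Returns (index, plaintext, trials) or None."""
    for idx, mask in enumerate(table):
        if toy_decrypt_block(key, xor_bytes(ciphertext[:BLOCK], mask)) == known_header:
            return idx, mdes_decrypt(key, idx, table, ciphertext), idx + 1
    return None


def mask_free_key_check(key, p1, p2, c1, c2):
    """With two known plaintext blocks, c1 ^ c2 == E_k(p1) ^ E_k(p2) for the right
    key regardless of which table string was used: the mask cancels, so a key
    search does not pay the 2**14 factor."""
    return xor_bytes(c1, c2) == xor_bytes(toy_encrypt_block(key, p1), toy_encrypt_block(key, p2))


if __name__ == "__main__":
    table = published_table()
    key = b"\x01\x23\x45\x67\x89\xab\xcd"          # 56-bit key, constructed
    pt = b"MDESv1.0" + b"attack at dawn!!"        # header + two more blocks, constructed
    ct = mdes_encrypt(key, 12345, table, pt)
    print(recipient_recover(key, table, ct, b"MDESv1.0"))
    print(mask_free_key_check(key, pt[:8], pt[8:16], ct[:8], ct[8:16]))
```

The recipient pays the 2^14 factor in full, as the post says.  The key-search attacker only pays it against a single known plaintext block; any two distinct known plaintext blocks remove it, since the unknown string is the same in both.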


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
